Re: Warning about kernel 4.2 performance (revised)

On Mon, 5 Oct 2015 14:20:41 +0300
Stas Sergeev <stsp@xxxxxxx> wrote:

> 05.10.2015 12:47, Andrew Bird wrote:
> > Mmm, that thread is full of the same old rhetoric (i.e. it must be a risk as no one can be bothered/has time to check it and users
> > must be prevented from hurting themselves even if they've already jumped through hoops to enable mm.vm_addr=0, which is a known security
> > risk, so that dosemu can function with cpuemu=off). I do fail to see why the default can't have the vm86() syscall compiled in, but
> > disabled by default at run time.
> As Felix pointed out, this is exactly what happens.
> But really, having never delivered dosemu, keeping vm86
> ON is pretty useless for them, so I won't bet on this to
> stay forever. But now as it can be disabled at run-time -
> the chances are big they'll no longer re-visit this subject
> and leave it as is.
> Note that AFAIK dosemu can't use vm86 on fedora even if
> enabled both compile-time and run-time, because selinux
> then prevents mapping zero page even if you enabled it in
> mmap_min_addr (but I may be wrong, someone needs to double-check
> also this). The security threat may come from the fact
> that you need to disable selinux.
> 
> 
Yes, I understand and if it stays that way that's great, I only wish Ubuntu were the same :-(

> > Regarding RHEL kernels, I've used CentOS 3, 4, 5 and 6 successfully with Dosemu cpuemu=off, so CONFIG_VM86=y was set on those.
> Have you disabled selinux?
I no longer use CentOS, but my notes indicate that I did disable it at the time.
This page
http://blog.namei.org/2008/02/15/mmap_min_addr-setting-may-mitigate-vmsplice-exploit/
suggests an selinux policy written for a specific app can be used to avoid the sledgehammer of disabling selinux, though I have no idea how to do that.

--
To unsubscribe from this list: send the line "unsubscribe linux-msdos" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


